WebProNews

Tag: hack

  • Facebook Hack Nets Eight Month Prison Sentence

    Facebook doesn’t take too kindly to being hacked. This was made rather apparent this week when a young man was sentenced to eight months in prison for hacking the social networking site.

    Reuters is reporting that Glenn Mangham, a 26-year-old British student, admitted that he hacked Facebook from his parents’ house last year. The intrusion was apparently so extensive that Facebook believed it was dealing with “major industrial espionage.”

    “This was the most extensive and flagrant incidence of social media hacking to be brought before British courts,” Alison Saunders, London’s Chief Prosecutor, said. “Fortunately, this did not involve any personal user data being compromised.”

    Facebook noticed the intrusion in April of last year and called in the FBI to trace its source. Once the source was confirmed, British police raided Mangham’s home in June.

    Mangham’s explanation was that he wanted to help Facebook improve its security; he had reportedly once been hired by Yahoo to do exactly that. The prosecution rejected the explanation, arguing that the intrusion could only have been malicious.

    What may have been a major factor in the case is that Facebook had reportedly spent $200,000 in dealing with the hack.

    The judge made a point to use Mangham as an example to other would-be hackers by saying that these kind of attacks have “real consequences” and could be “utterly disastrous” for Web sites like Facebook.

    The lesson here is simple: don’t hack a Web site unless its owner has authorized you to test it. Breaking in uninvited and hoping it leads to a job on the security team is far more likely to end in prison.

  • Steam Details Extent Of Hacking Attack, Backup File Was Stolen

    You may remember late last year that Steam, Valve’s digital distribution platform, was hacked and taken down for a while. The extent of the damage wasn’t exactly known until now.

    On Friday, Gabe Newell took to Steam to tell users exactly what happened:

    Dear Steam Users and Steam Forum Users:

    We continue our investigation of last year’s intrusion with the help of outside security experts. In my last note about this, I described how intruders had accessed our Steam database but we found no evidence that the intruders took information from that database. That is still the case.

    Recently we learned that it is probable that the intruders obtained a copy of a backup file with information about Steam transactions between 2004 and 2008. This backup file contained user names, email addresses, encrypted billing addresses and encrypted credit card information. It did not include Steam passwords.

    We do not have any evidence that the encrypted credit card numbers or billing addresses have been compromised. However as I said in November it’s a good idea to watch your credit card activity and statements. And of course keeping Steam Guard on is a good idea as well.

    We are still investigating and working with law enforcement authorities. Some state laws require a more formal notice of this incident so some of you will get that notice, but we wanted to update everyone with this new information now.

    Gabe

    This is a good example of a company being frank and open with its customers about their data. It’s a far cry from Sony’s mishandling of its own breach last year, when the company took its time letting customers know that their data had been compromised.

    Remember to take Gabe’s advice, kids. If you still have the same credit card number from 2004 to 2008, watch your bank account like a hawk just in case.

  • Google Wallet Hacked By Researchers!!!

    Researchers working with Google Wallet yesterday outlined a way to bypass Wallet’s PIN, leaving any funds linked to the phone open to theft. The researchers report that the method requires no special tools, software or even any particular skill.

    The method requires only that a user clear the data for the Google Wallet app in the phone’s application settings menu and then enter a new PIN when prompted to do so. This is the second security problem reported with Google Wallet. Users might want to think twice about keeping it around.

    Update: Google responds.
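    The “clear data, set a new PIN” reset described above comes down to one design question: where does the PIN check live? The following model is an added example written for this page, not Google’s code, and it makes no claim about how Wallet actually stored its PIN. It contrasts a wallet that decides “no PIN stored yet, ask for one” from its own app-private storage (which a wipe erases) with one whose PIN record and retry counter sit in a store the wipe cannot reach, modelled here as a secure element. Class names, the secure-element dictionary and the $50 prepaid balance are all assumptions of the model.

```python
"""Why "Clear data" can reset a wallet PIN: a constructed model, not Google's code."""
import hashlib
import hmac
import os


def _make_record(pin):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000)


def _check_record(record, pin):
    if pin is None:
        return False
    salt, digest = record
    return hmac.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 50_000))


class AppDataPinWallet:
    """Weak design: the only PIN record is in app-private storage."""

    def __init__(self, balance=50.0):
        self.app_data = {}       # erased by "Clear data" in application settings
        self.balance = balance   # prepaid value sits on the card and survives a wipe

    def clear_data(self):
        self.app_data.clear()

    def set_pin(self, new_pin, old_pin=None):
        record = self.app_data.get("pin")
        if record is not None and not _check_record(record, old_pin):
            return False                                # a change needs the old PIN ...
        self.app_data["pin"] = _make_record(new_pin)    # ... but "no record" looks like first run
        return True

    def pay(self, pin, amount):
        record = self.app_data.get("pin")
        if record is None or not _check_record(record, pin) or amount > self.balance:
            return False
        self.balance -= amount
        return True


class SecureElementPinWallet:
    """Hardened design: PIN record and retry counter live where the wipe cannot reach."""

    MAX_FAILURES = 5

    def __init__(self, balance=50.0):
        self.app_data = {}
        self._se = {"pin": None, "failures": 0}   # modelled secure element (assumption)
        self.balance = balance

    def clear_data(self):
        self.app_data.clear()     # the secure element is untouched

    def _se_verify(self, pin):
        if self._se["failures"] >= self.MAX_FAILURES:
            return False          # locked until the issuer resets it; a wipe does not help
        ok = _check_record(self._se["pin"], pin)
        self._se["failures"] = 0 if ok else self._se["failures"] + 1
        return ok

    def set_pin(self, new_pin, old_pin=None):
        if self._se["pin"] is not None and not self._se_verify(old_pin):
            return False
        self._se["pin"] = _make_record(new_pin)
        return True

    def pay(self, pin, amount):
        if self._se["pin"] is None or not self._se_verify(pin) or amount > self.balance:
            return False
        self.balance -= amount
        return True


def wipe_and_spend(wallet, amount=10.0, attacker_pin="0000"):
    """The article's procedure: clear the app's data, enter a new PIN when asked, then pay."""
    wallet.clear_data()
    wallet.set_pin(attacker_pin)            # no old PIN supplied: the attacker doesn't know it
    return wallet.pay(attacker_pin, amount)


if __name__ == "__main__":
    for cls in (AppDataPinWallet, SecureElementPinWallet):
        w = cls()
        w.set_pin("1234")                   # the owner enrols a PIN
        print(cls.__name__, "drained by wipe-and-reset:", wipe_and_spend(w))
```

    Run as-is, the weak wallet reports `True` (the attacker’s new PIN is accepted and the payment goes through) while the hardened one reports `False` and also burns two of the five retries, so a wipe is no substitute for knowing the PIN.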

  • United Nations Web Site Hacked, Vulnerabilities Exposed

    The Web site hacking and dumping of info will not stop – next up is the United Nations.

    A hacker going by the handle Casi yesterday dumped data pulled from the United Nations Web site, along with a list of vulnerabilities that other attackers could use to get into the UN’s database and do real damage.

    I guess the question here is why Casi hacked the UN. Well, he tells us himself:

    I fuck actually system… I fighting for Internet Freedom, equality & rights for all. You’re FREEDOM my brothers & my sisters ! <3

    What does it mean? I don’t know, but it must have been a pretty good reason to expose almost every weakness currently in the UN’s database.

    Similarly, the reason behind listing the vulnerabilities is just as cryptic:

    I give vulnerabilities because it’s fucking asshole ! We are FREEDOM !

    We are clearly dealing with a criminal mastermind here, or maybe not, according to Aaron Titus, Chief Privacy Officer for Identity Finder. Speaking to Fox News’ New York affiliate, he said that the breach was a “very simple attack” and that the UN “could have prevented this very easily and should have prevented it.”

    So it seems that the UN simply has weak security. It must be embarrassing for them to be hit by such a basic SQL injection attack.

    Passwords were not exposed, but the real danger lies in what other attackers can do with the information. Identity Finder has reached out to the UN to alert it to the potential danger, but the organization has not replied.
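    To show what “such a basic SQL injection attack” means in practice, here is an added example that is not the UN’s code and says nothing about its actual site. It builds a constructed three-row `users` table in an in-memory SQLite database and runs the same lookup two ways: one that pastes the user’s input into the query text, and one that binds it as a parameter. The two payloads are the textbook tautology, which returns every row, and a `UNION` against `sqlite_master`, which lists the schema, the kind of information the article says was dumped. Table, column and function names are all invented for the demo.

```python
"""SQL injection, string-built query versus parameterized query (constructed example)."""
import sqlite3

# Constructed sample data standing in for a site's user table.
SAMPLE_USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("carol", "carol@example.org"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """String-built query: whoever controls `name` controls the SQL, not just a value."""
    sql = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Parameterized query: the driver binds the value, so it can never become SQL."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# Two classic payloads. The first makes the WHERE clause always true; the second
# appends a query against the schema catalogue and comments out the dangling quote.
TAUTOLOGY = "' OR '1'='1"
SCHEMA_DUMP = "' UNION SELECT name, sql FROM sqlite_master --"


def demo():
    conn = make_db()
    return {
        "normal": find_user_vulnerable(conn, "alice"),
        "vuln_tautology": find_user_vulnerable(conn, TAUTOLOGY),
        "vuln_schema": find_user_vulnerable(conn, SCHEMA_DUMP),
        "safe_tautology": find_user_safe(conn, TAUTOLOGY),
        "safe_schema": find_user_safe(conn, SCHEMA_DUMP),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

    With the string-built query the tautology returns all three users and the `UNION` payload returns the `CREATE TABLE` statement for `users`; the parameterized version returns nothing for either, because it is looking for a user literally named `' OR '1'='1`. SQLite’s `execute()` refuses stacked statements, so the usual `; DROP TABLE` variant does not apply here, but the UNION-based read does not need it.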

    With all these hacks, it’s only a matter of time until every government organization’s Web site is laid bare for the world to see. I personally can’t wait to see the database for the White House’s Web site. It must be so scandalous, probably full of photos of the President’s pet.

  • UK Police & FBI Conference Call Leaked By Anonymous

    Anonymous is at it again with their latest hacking escapade. This time they targeted the UK police and FBI.

    UK police and the FBI held a conference call last week concerning cyber security, especially focusing on Anonymous and LulzSec members. The email planning the conference call was intercepted by Anonymous and shared on the net.

    Naked Security confirms that the email titled “Anon-Lulz International Coordination Call” was sent to “over 40 law enforcement officers in the USA, UK, Ireland, Netherlands, France and Sweden.”

    Anonymous used the leaked email to get into the phone conference and record the entirety of it. The entire 16 minute conversation has been uploaded to YouTube, among other places.

    The conversation details the continued investigation into Anonymous and LulzSec. While most of the hackers’ names are censored, two are explicitly named: Jake Davis (suspected of being the public face of Anonymous) and Ryan Cleary (who allegedly launched a DDoS attack on the Serious Organised Crime Agency’s Web site).

    The FBI and UK Police did finally confirm that their call was intercepted, but the damage was already done.

    Anonymous has, of course, been poking fun at the FBI since the leak came to light:

    The #FBI might be curious how we’re able to continuously read their internal comms for some time now. #OpInfiltration

    We’ll continue to keep you up to date on the latest Anonymous escapades as they happen. They’re promising some “lulzy” stuff today.

    We’re getting reports that even more lulz are coming later today. TGIF! #FFF #Anonymous

  • Credit Card Hack Exposes Millions

    In the race to sign up more and more customers, credit card companies have been promoting the idea that it is more convenient and less socially awkward to swipe a credit card than to pull out cash or write a check. Who wants to feel the burning embarrassment in the checkout line as you bring everything to a screeching halt to write a check or pay with cash?

    And now, swiping is on the way out thanks to RFID (radio-frequency identification). Rather than rely on a plastic card with a magnetic stripe, credit card companies are moving toward chips programmed with your relevant information. Have a credit card that says “PayPass” on it? Then you have RFID.

    RFID is not new. I once worked a security job where I was assigned an ID card that I passed in front of a scanner at every door I entered. The chip in the card was passive, but got its power from the scanner itself when placed near it. Many of us guards learned that we did not even have to pull our cards out of our wallets, but simply wave the entire wallet in front of the scanner.

    And, you can see where this is going.

    In the old days (i.e. now), credit card thieves might work at a ritzy restaurant for a bit, harvesting card info with a mag stripe reader they could hide in their vest. Trouble with that was that all those cards had one thing in common: they were all used at that restaurant. On the thief’s shift. At his tables. Arrest was quick.

    For about $300, you can purchase a cordless RFID scanning device online. It does have to be fairly close to a chip, though not in contact with it, in order to power and read it.

    So, imagine: You get into a crowd, start bumping into people’s purses, back pockets, collecting card info with your scanner. Maybe on the subway, where everyone is headed to somewhere else. Your victim base is decentralized. That’s the first step.

    Then, you transfer the card info to a cheap mag stripe card. You can buy them in bulk for 30 cents apiece; hotels and department stores use them all the time. The equipment to write them will set you back another $350. That done, you now have a clone of that person’s credit card.

    From there, it’s all up to what manner of crook you want to be. Sell those card clones for $50 each? For a night on the town, that beats Groupon deals. Hook up with the right gangs in a city or overseas buyers online and you could move many of those at a time.

    Or, you could swipe them yourself with smartphone accessories straight into an account. Given the right bank, that could work. Fold them into a grander money-laundering scheme?

    What if you paid runners a buck apiece to wander subways, concert halls, and other thickly populated areas with your readers tucked away?

    Let’s do the math on one simple scenario that does not involve any cohorts, just willing buyers you meet online and $700 in readily-available equipment. Scan 100 RFID chips per day (easy in crowded areas) and you can recoup that investment in your first day’s “work”. After that, $30 worth of blank cards per day nets you $5,000 from your buyers. $25,000 per 5-day work week. Take a couple weeks vacation each year, like normal folk. Clear $1,250,000 your first year grinding.

    Beats a job. Beats selling drugs. Do it all yourself out of an apartment.

    If you’re crooked.

    All this is possible because credit card companies want you to be embarrassed to pay with cash or check. Their commercials show you inconveniencing people in line behind you, then tell you their products are for *your* convenience. They make it easy to swipe, easy to lose track of your spending. Credit and overdraft fees rack up when you are out of touch with your spending.

    And now, they make it easier than ever for thieves to steal your money by taking the card-in-my-hands factor out of the equation. Your info is now broadcast, albeit over a short distance.

    Pickpocketing was never easier.

    Doubt this all would work? It already has.

  • Color App Vulnerable to “Geo-spoofers”

    It has been well documented that if privacy is what you want, the Color app is not for you. Color, of course, is the much talked about new app that allows users to share photos effortlessly with anyone and everyone in their vicinity.

    Well, apparently that last part is a bit malleable.

    Turns out that a claimed location is good enough to fool Color into letting you browse photostreams anywhere, anytime. Within hours of its release, Veracode CTO Chris Wysopal tweeted:

    @threatpost with trivial geolocation spoofing the auth model of Color is broken

    When he tested it out, he found that he could go anywhere and see anything, far more easily than expected. He used a jailbroken iPad and an app called FakeLocation, which let him bypass the iPad’s GPS and set his location to anywhere in the world.

    I’m sure most of you can see where this is going.

    When he opened the Color app, bingo! He could now browse all the photos from an area hundreds of miles away. “This only took about five minutes to download the FakeLocation app and try a few locations where I figured there would be early adopters who like trying out the latest apps,” Wysopal told Forbes’ Andy Greenberg. “No hacking involved.”

    To prove his success, Wysopal (in New York City) sent Greenberg a screencap of Color CEO Bill Nguyen’s photostream (Palo Alto, California):

    Once again, this “cheat” is not ruffling any feathers over at Color headquarters. As a spokesman said to Forbes, they never promised privacy. “It is all public, and we’ve been very clear about that from the very beginning. Within the app, there’s already functionality to look through the entire social graph. Very few people will probably do what you’re saying, but all the pictures, all the comments, all the videos are out there for the public to see.”

    And how many Color users, happy to share their photos with any stranger around them, would really care that the stranger lives in another state – or country?